1 / 20

Quantified Data Automata on Skinny Trees: an Abstract Domain for Lists

Quantified Data Automata on Skinny Trees: an Abstract Domain for Lists. Pranav Garg 1 , P. Madhusudan 1 and Gennaro Parlato 2 1 University of Illinois at Urbana-Champaign 2 University of Southampton, UK. Automatic Shapes. Static analysis of heap structures

shima
Download Presentation

Quantified Data Automata on Skinny Trees: an Abstract Domain for Lists

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Quantified Data Automata on Skinny Trees:an Abstract Domain for Lists Pranav Garg1, P. Madhusudan1 and Gennaro Parlato2 1University of Illinois at Urbana-Champaign 2University of Southampton, UK

  2. Automatic Shapes • Static analysis of heap structures - heaps with a single pointer field • Properties: Universally Quantified properties over heap + data • Introduce Automatic Shapes - abstract domain of automata Automata are classical ways to capture infinite sets of objects using finite means. Aim: - Represent properties of the data stored in the heap. - Build automata that can express universally quantified properties

  3. Universally Quantified Properties on Lists • List pointed to by head is sorted more 9 4 head head 2 5 7 8 4 1 9 9 2 1 • fold-split(key) splits input list into two lists. • Abstract analysis of heap is hard - unbounded size of the heap - unbounded data stored in the heap less

  4. Heap Configurations and Skinny Trees • Restrict to heaps with a single pointer field (acyclic). • Let P: the program’s pointer variables - Heap configuration skinny trees labeled by P • k- skinny tree has at most k- branching points. • Heap configurations are k- skinny trees (k = number of pointer vars.) head1 nil head3 head2 6 1 4 1 $ 7 4 3 5 2 9 8

  5. Quantified Data Automata • Extends Quantified Data Automata over lists [CAV’13] • QDAs logically define universally quantified properties of lists Example:

  6. Quantified Data Automata Fix P – program pointer variables Fix Y – set of quantified variables Fix F – data domain which forms a lattice • QDA over skinny trees: - reads a tree annotated with pointers P and Y - checks whether data stored at these positions satisfy a data property • QDA accepts a tree T with pointers P if it accepts all possible extensions of T with valuations for Y. y1 head data(y1) <= data(y2) y2

  7. Valuation Trees • Valuation tree = Skinny tree over P + valuation for Y Skinny Tree head1 head1 head1 nil nil nil y2 y1 head2 head2 head2 6 6 6 7 4 5 7 9 1 $ 3 4 2 5 9 $ 3 2 4 9 3 2 $ 5 7 1 1 Valuation Trees y2 y1 Universal Quantification QDA accepts a skinny tree iff it accepts ALL corresponding valuation trees.

  8. Quantified Data Automata • Bottom-up, deterministic, register automata over trees - each state labeled with a data formula f • For a valuation tree, QDA reads ptr. and univ. vars. and stores the data values in the register reg. • At the final state, QDA checks if these data values satisfy the formula labeling the state. - reg satisfies f(q) Accepts the valuation tree - regdoes not satisfy f(q) Rejects the valuation tree head1 head1 nil nil y2 y2 head2 head2 reg: head1 5 head2 3 y1 4 y2  7 nil  $ 6 6 7 1 9 7 5 2 3 4 $ 9 1 5 2 3 4 $ f(q) = data(y1) < data(y2) y1 y1

  9. Formula Tree • Formula Tree = (Valuation Tree \ data) paired with a data formula - complete separation of the structure of the heap and its data Define Lf (A) = Language of formula trees accepted by A head1 nil , data(y1) < data(y2) y1 head2 y2

  10. QDAs as a Partial Order • Natural Partial Order -- set inclusion over the language of QDAs - not closed under disjunctions Alternate partial order: • if such that and - Least upper bound associates every tree to - Infinite sets of QDAs might not have a least upper bound. Hence do not form a complete lattice.

  11. Elastic QDAs • Require a notion of widening for analysis of loops - Ignore lengths of stretches of the heap not pointed by variables. nil nil head head y1 y1 head head y1 y1 • QDA: Elastic QDA: • Restriction: • All transitions on blank symbols must be self-loops

  12. Theorems about EQDAs 1. Number of states in a minimal EQDA is bounded - Finite number of EQDAs modulo the data formulas - widening proc. for EQDAs given widening for data formulas. 2. For every QDA, there is a most-precise over-approximating EQDA (in terms of their accepting languages)  elastification EQDAs form a complete lattice abstract domain 3. EQDAs correspond to decidable STRAND logic [POPL’11] over lists. - Abstract interpretation using EQDAs can be used for checking STRAND assertions.

  13. Abstract transformer over EQDAs • Strongest post condition involves existential quantification of the pre-state + constraining post-state acc. to the semantics of the stmt. Example: strongest-post( ) = • These precise post-conditions are not expressible by QDAs. • Over-approximate the post-condition to: - eliminate existential quantifier via quantifier elimination for the structure (Guard) using automata, and data-formulas (Data) separately. /\ Guard => Data

  14. Abstract transformer over EQDAs Pointer Assignment statement pi := pj Similar abstract transformer for structure manipulating statements: Pointer Lookup pi:=pj.next Pointer Mutate pi .next :=pj Allocate new pi … pi := pj , pi pj pj b pi pi pi := pj

  15. Abstract transformer over EQDAs Data Assignment statement pi .data :=data_exp Slightly more involved: - Also account for all variables which point to the same node as pi pi .data := data_exp pi pi

  16. Abstract transformer over EQDAs elastification stmt • A’ might not be elastic. • Use the most-precise over-approximation result to get an EQDA. - defines the actual abstract transformer over EQDAs • Fix-point computation of the abstract semantics terminates - widening for the data domain EQDA QDA EQDA

  17. Experiments • Simple programming language consisting of heap allocation, pointer assignment, pointer lookup, pointer mutate, … • Given a STRAND formula as pre-condition, construct the corresponding EQDA. • Compute the abstract semantics of the program over EQDAs using the abstract transformer. • Fix-point EQDAs are translated to decidable STRAND formulas over lists to verify program assertions, post-conditions. - Instantiate data-formulas with the octagonal domain (using Apron). - Prototype implementation available at http://web.engr.illinois.edu/~garg11/qsdas.html

  18. Experiments

  19. Related Work (Shape Analysis) • Merges nodes that satisfy the same predicates - unary + instrumentation predicates • Instrumentation predicates provided by the user - often complex, - very particular to the program being verified Example: sub-list before pointer i is sorted, that is - instrumentation predicate required Clearly, - s(x) too dependent on the property being verified - complex (writing binary property as a unary predicate)

  20. Conclusion • Automatic Shapes – an abstract domain of automata - can express universally quantified properties of lists - can prove these properties precisely and efficiently Future Work • Extensions to trees to capture universally quantified properties like binary-search-tree, max-heap, … • Extensions to general graphs using graph automatons. Thank You !

More Related